[Zope-CMF] Changing Object Creator

[Flynt]

"Rolander, Dan" wrote:
> 
> Thanks for the info Flynt, but I'm afraid I don't possess enough zen to
> comprehend this yet. I've created an external method but I'm getting errors
> when trying to call it. What should the value of user be? Does it need to be
> the id of my user object? If so, how should I obtain that? (A little more
> code would help me).
> 
> Thanks,
> Dan

Hi Dan

I was looking into it a little bit and Tres Seavers gave a tip and Tim
McLaughlin posted an additional message as well. So, I am only
summarizing: 

First, Tres Seavers points out, that the creator in CMF is taken as the
*executable owner* (the one who created the document). Be carefull, not
to intermingle *owner* and *owner role*; there may be several users with
owner role for a document or folder, but there is always *only one*
owner. This is not necessarily the creator from the Dublin Core
Metadata, and so expect this to change in the future. See Tres' email at
(in case you missed it ;-):
http://lists.zope.org/pipermail/zope-cmf/2001-May/006700.html

I recommend very much working with the security audit tool from Tres; it
gives you a very nice summary (together with usual TTW security tab
views), when testing. In case you don't know it, here is the link:
http://www.zope.org/Members/tseaver/ZopeSecurityAudit
(Note: I get an attribute error when I have discussion items in the CMF,
otherwise, it works fine)

The easiest way, to change the creator in CMF would be (for now, at
least), to give the member which should become the new owner the manager
role, let him take the ownership of the documents in question and then
take away again the manager role from him. It worked for me.

Note: The *ancient* member then is not any longer the *executable
owner*, but he keeps still an additional owner role on the changed
documents (you can see this quite nicely with Tres Seavers Security
Audit product).

So, to clean up things, you have to take away the owner role of the
former *executable owner* after you are through the *Take Ownership*
stuff.

That said, this is also valid in case you use directly the
*changeOwnership* method in an external method in your CMF.

For all this stuff and differences of and between: *owner*, *owner
role*, *local role* and so on, you might like to read:
http://www.zope.org//Members/jim/ZopeSecurity/ServerSideTrojan
http://www.zope.org/Products/Zope/2.2.0/upgrading_to_220
http://www.zope.org/Documentation/How-To/ProductAuthorUpdateGuide/index_html


Then, for the *changeOwnership* method, Tim McLaughlin pointed out, that
*getUser* does not return an acquisition wrapped object, so the external
method has to wrap it. See his posting at:
(ok, not yet archived, so I quote:)
---SNIP---------------------------------
OK, here goes the evil workaround....
It seems that getUser does not return an acquisition wrapped object, so
make
your external method this to wrap it (thus giving ownerinfo the ability
to
determine the user db):

def setOwner(self, username):
    #note: this assumes that the closest User database houses 'username'
    user = self.acl_users.getUser(username)
    self.changeOwnership(user.__of__(self.acl_users))
    return 'done.'

--Tim McLaughlin (tmclaugh)
---SNIP-------------------------------------

I tried it (put the snippet in an external method, call the external
method from a DTML method and call the DTML method on my testdocument)
and it worked. This is actually the programmatic way of the *Take
Ownership* process through the TTW screen.

HTH

Flynt